Re: [Open-scap] Benchmark for Canonical Ubuntu 16.04 LTS

[Boucher, William]

Gary,

Similar results with Ububtu 16.04. Not all results were notapplicable, score 
was given as 25%.

After building openscap and ComplianceAsCode/content I ran:

sudo oscap xccdf eval –profile standard –results ./xccdf-results.xml –cpe 
/usr/local/share/xml/scap/ssg/content/ssg-ubuntu1604-cpe-dictionary.xml 
/usr/local/share/xml/scap/ssg/content/ssg-ubuntu1604-xccdf.xml

sudo oscap oval eval –results ./oval-results.xml 
/usr/local/share/xml/scap/ssg/content/ssg-ubuntu1604-oval.xml

sudo oscap xccdf generate report –oval-template ./oval-results.xml 
./xccdf-results.xml > ./report-xccdf-oval.html

15 rules passed, 6 inconclusive (unknown) and all the rest (24) notapplicable.

Running:

sudo oscap xccdf eval –profile standard –results-arf ./results-arf.xml –report 
./report-ds.html –results ./results-ds.xml 
/usr/local/share/xml/scap/ssg/content/ssg-ubuntu1604-ds.xml

produced the same numbers in the ds-generated report.

I see the value in using the data stream. But the “notapplicable” items are 
largely applicable and should be evaluated.

                --Bill

William B. Boucher, BSEE
Embedded Systems Software Engineer
Information Systems Security Manager
MZA Associates Corporation
4900 Lang Ave. NE, Suite 100
Albuquerque, NM 87109-9708
Phone: 505.245.9970 x166
Fax: 505.245.9971
Cell: 505.459.7620
william.bouc...@mza.com<mailto:william.bouc...@mza.com>

From: Gary Gapinski [mailto:gapin...@nasa.gov]
Sent: Friday, January 25, 2019 9:50 AM
To: Boucher, William <william.bouc...@mza.com>
Cc: open-scap-list@redhat.com
Subject: Re: [Open-scap] Benchmark for Canonical Ubuntu 16.04 LTS

On 1/25/19 10:33 AM, Boucher, William wrote:
Thank you, Gary! I will attempt next to duplicate your process with Ubuntu 1604.

I may as well but cannot guarantee timeliness.
If I am building OpenSCAP over my previous install of the libopenscap8 package, 
do I need to remove libopenscap8 first or can I just make-install over it?

I place the OpenSCAP install in /usr/local and ensure it is used separately and 
preferentially (via $PATH) rather than the one from the distro (or just not 
install from the distro). I use cmake-gui ../ from within the openscap/build 
directory and change CMAKE_INSTALL_PREFIX to /usr/local (cmake-gui, tweak, 
configure, generate; make; sudo make install). Installing on top of the distro 
version will likely cause undesirable results.

I do not typically install ComplianceAsCode but simply access the content from 
the cloned (and built) repo, but if you install it I think it best to choose 
the same installation target (e.g., /usr/local) as that of OpenSCAP.

A functional (and available) install of OpenSCAP is a pre-requisite for 
building ComplianceAsCode.

Regards,

Gary
--

Gary Gapinski — DB Consulting Group
NASA Glenn Research Center
℡ +1 216 433 3959<tel:+1%20216%20433%203959> — office
℡ +1 216 820 1849<tel:+1%20216%20820%201849> — mobile
gapin...@nasa.gov<mailto:gapin...@nasa.gov>

_______________________________________________
Open-scap-list mailing list
Open-scap-list@redhat.com
https://www.redhat.com/mailman/listinfo/open-scap-list